On 08/02/2017 07:40 AM, Igor Sever via FreeIPA-users wrote:
There is no gidNumber attribute on AD group objects. If I want to apply posix 
attributes directly in AD, then I don't need FreeIPA, do I...
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
It is obvious that FreeIPA integration with AD is not production ready, and 
probably never will be for numerous reasons, just like samba...

I suspect that the ID range automatically created for the AD trust was assigned a POSIX attributes range type; this can happen if any POSIX attributes exist in your environment. You can check this with 'ipa idrange-find'.

The Range Type should be 'Active Directory domain range' for automatic SSSD ID mapping to be done without requiring POSIX attributes.

For me at least, the easiest way to fix this is to remove the trust and re-add it, specifying the argument --range-type=ipa-ad-trust:

   # ipa trust-del ad.domain
   # ipa idrange-del 'AD.DOMAIN_id_range'
   # ipa trust-add ad.domain --range-type=ipa-ad-trust

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html#id-ranges

Kind regards,
Justin Stephenson

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
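
The range-type check described in the reply above can be scripted. This is an added example, not part of the original thread: it assumes 'ipa idrange-find' prints blank-line-separated "Key: value" records, and the function names and sample output are constructed for illustration.

```shell
# Added example (not from the original thread).
# Assumption: `ipa idrange-find` prints blank-line-separated "Key: value" records.

# Range type named in the reply as the one needed for automatic ID mapping.
EXPECTED_TYPE='Active Directory domain range'

# Reads idrange-find output on stdin. Prints "<range name>: <range type>" for
# each range that has a trusted-domain SID but a different range type.
find_mismatched_ranges() {
    awk -v want="$EXPECTED_TYPE" '
        function emit_record() {
            if (name != "" && sid != "" && rtype != want)
                print name ": " rtype
            name = ""; sid = ""; rtype = ""
        }
        /^[ \t]*$/ { emit_record(); next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            idx = index(line, ": ")
            if (idx == 0) next
            key = substr(line, 1, idx - 1)
            val = substr(line, idx + 2)
            if (key == "Range name") name = val
            else if (key == "Domain SID of the trusted domain") sid = val
            else if (key == "Range type") rtype = val
        }
        END { emit_record() }
    '
}

# Constructed sample output; names, IDs and the SID are made up.
sample_output() {
    cat <<'EOF'
----------------
2 ranges matched
----------------
  Range name: AD.DOMAIN_id_range
  First Posix ID of the range: 1234000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1111111111-2222222222-3333333333
  Range type: Active Directory trust range with POSIX attributes

  Range name: IPA.DOMAIN_id_range
  Range type: local domain range
EOF
}

sample_output | find_mismatched_ranges
```

On an IPA server, pipe the real output through the function instead: 'ipa idrange-find | find_mismatched_ranges'. No output means every trust range already has the expected type.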
